Advertisement
Help Keep Boards Alive. Support us by going ad free today. See here: https://subscriptions.boards.ie/.
https://www.boards.ie/group/1878-subscribers-forum

Private Group for paid up members of Boards.ie. Join the club.
Hi all, please see this major site announcement: https://www.boards.ie/discussion/2058427594/boards-ie-2026

Encryption required for Website storing personal details - GDPR

  • 19-11-2019 01:09PM
    #1
    19233974
    Registered Users, Registered Users 2 Posts: 120 ✭✭


    Hi wondering what is the industry standard Encryption required for a Website database that is storing personal user details - in order to comply with GDPR.

    The website is PHP / MySQL.

    We have got a research website developed using free lancer, very happy with the end result and it is a not for profit research site, but it will be storing personal details so wondering what the requirements are for this?


Comments

  • #2
    Baz_
    Registered Users, Registered Users 2 Posts: 2,660 ✭✭✭Baz_


    Not to be too smart of an arse, but have you tried a search engine?


  • #3
    daymobrew
    Registered Users, Registered Users 2 Posts: 6,705 ✭✭✭daymobrew


    AFAIK GDPR has nothing to do with encryption but to ensure you have permission to store data. Obviously you should do your best to ensure that access to the data is limited to authorised persons e.g. good passwords and secure code.


  • #4
    listermint
    Registered Users, Registered Users 2, Paid Member Posts: 34,332 ✭✭✭✭listermint


    Data should be obfuscated in he dB. It should only be stored if it has a current applicable need between the business and the customer. Once that need has expired the data should be wiped in full.

    Access to the data should be limited and should be logged when it has been accessed or modified.

    There should be regular automated processes to remove any expired data. So your retention policies need to be robust.


  • #5
    BailMeOut
    Registered Users, Registered Users 2 Posts: 3,078 ✭✭✭BailMeOut


    GDPR has rules relating to data breach or if data is stolen so you need to protect the user data properly. Encrypting the at rest mysql data is a good start but all the other normal best practises on security should be adhered to. Is the server behind a firewall, are proper rules in place, are you fully security patched all the time, do you use MFA and good passwords,SSL, etc,. ..

    Is this website publiclly accessible?


  • #6
    CSSE09
    Registered Users, Registered Users 2 Posts: 519 ✭✭✭CSSE09


    If you haven't already done it make sure the site is using ssl


  • Advertisement
  • #7
    28064212
    Registered Users, Registered Users 2 Posts: 11,105 ✭✭✭✭28064212


    GDPR isn't prescriptive (it can't be). It states:
    Article 5.1.f wrote:
    Personal data shall be:
    ...
    processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
    "Appropriate security" is going to be highly dependent on your specific situation.

    Boardsie Enhancement Suite - a browser extension to make using Boards on desktop a better experience (includes full-width display, keyboard shortcuts, dark mode, and more). Now available through your browser's extension store.

    Firefox: https://addons.mozilla.org/addon/boardsie-enhancement-suite/

    Chrome/Edge/Opera: https://chromewebstore.google.com/detail/boardsie-enhancement-suit/bbgnmnfagihoohjkofdnofcfmkpdmmce



  • #8
    biko
    Registered Users, Registered Users 2 Posts: 81,060 ✭✭✭✭biko


    https://gdpr-info.eu/issues/encryption/


  • #9
    Jim2007
    Moderators, Business & Finance Moderators Posts: 11,096 Mod ✭✭✭✭Jim2007


    19233974 wrote: »
    Hi wondering what is the industry standard Encryption required for a Website database that is storing personal user details - in order to comply with GDPR.

    The website is PHP / MySQL.

    We have got a research website developed using free lancer, very happy with the end result and it is a not for profit research site, but it will be storing personal details so wondering what the requirements are for this?

    Well if you are hosting the website on a hosting service not under your control it really won't matter what encryption you use, it will be in breach of the rules in any case.


  • #10
    DeconSheridan
    Registered Users, Registered Users 2 Posts: 141 ✭✭DeconSheridan


    19233974 wrote: »
    Hi wondering what is the industry standard Encryption required for a Website database that is storing personal user details - in order to comply with GDPR.

    The website is PHP / MySQL.

    We have got a research website developed using free lancer, very happy with the end result and it is a not for profit research site, but it will be storing personal details so wondering what the requirements are for this?
    At the high end your Business will be ISO/IEC 27001 compliant.
    At the low end your going to implement your own version of Information security by the choices you make.

    Encrypting the DB storage should really be the least of your worries and id be more focused on the front end attack vectors such as logins and admin logins, privileges users both customers and workers have and db service accounts asking the database server for data.

    A common mistake many make is having the Web Application DB credentials to your Database a Super user :eek: on the DB when really they might only require to RW and update credentials but maybe more. This can lead to potential disasters in the event of a breach and loss of data even whole databases.

    You do really need to lock down the Web Server and Database from the perspective of Sessions and Logins and who has access and what accounts are doing what including DB Service accounts.

    As Always backups (Regular) are king and can and do save the day! Id recommend VEEM, i'm not affiliated...


Advertisement